Suspicious Print Spooler Point and Print DLL

Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/11/26"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service.
Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as
SYSTEM.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Print Spooler Point and Print DLL"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Print Spooler Point and Print DLL

The Windows Print Spooler service manages print jobs and is integral to printing operations. Adversaries exploit vulnerabilities like CVE-2020-1030 to escalate privileges by loading malicious DLLs into the spooler process, which runs with SYSTEM-level permissions. The detection rule identifies suspicious registry modifications linked to the Print Spooler, indicating potential exploitation attempts by monitoring specific registry paths and data patterns.

### Possible investigation steps

- Review the registry paths specified in the alert to confirm any unauthorized modifications, focusing on the paths: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory and HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module.
- Check the registry data strings for any unexpected or suspicious DLLs located in C:\\Windows\\System32\\spool\\drivers\\x64\\4, which may indicate a malicious payload.
- Investigate the host identified by host.id to determine if there are any other signs of compromise or unusual activity, such as unexpected processes or network connections.
- Correlate the alert with other security events or logs from the same host to identify any related activities or patterns that could suggest a broader attack.
- Assess the system's patch level and update status to ensure that all known vulnerabilities, including CVE-2020-1030, have been addressed and mitigated.
- If a malicious DLL is confirmed, isolate the affected system to prevent further exploitation and begin remediation efforts, such as removing the malicious files and restoring the system to a known good state.

### False positive analysis

- Legitimate printer driver updates or installations may trigger the rule due to registry modifications in the specified paths. Users can create exceptions for known and trusted driver update processes to prevent false alerts.
- Custom print configurations by IT departments that modify the SpoolDirectory or CopyFiles registry paths might be flagged. Document and exclude these configurations if they are verified as safe and necessary for business operations.
- Automated scripts or software that manage printer settings and inadvertently modify the monitored registry paths can cause false positives. Identify and whitelist these scripts or applications after confirming their legitimacy.
- Third-party print management solutions that interact with the Print Spooler service may lead to false detections. Evaluate these solutions and exclude their known benign activities from the detection rule.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
- Terminate the Print Spooler service on the compromised system to stop any ongoing malicious activity and prevent further DLL loading.
- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any malicious DLLs or related files.
- Review and restore the registry paths identified in the detection query to their default values to ensure no malicious configurations remain.
- Apply the latest security patches and updates from Microsoft to address CVE-2020-1030 and other known vulnerabilities in the Print Spooler service.
- Monitor the network for any signs of similar exploitation attempts, focusing on the registry paths and data patterns specified in the detection rule.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
references = [
    "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx",
    "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030",
]
risk_score = 73
rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id with maxspan=30s
[registry where host.os.type == "windows" and
 registry.path : (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory"
    ) and
 registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4"]
[registry where host.os.type == "windows" and
 registry.path : (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module"
    ) and
 registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
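To show how the query's two-step sequence behaves on real event streams, here is an added Python re-implementation of it (not Elastic's code) run over constructed Sysmon-style registry events: it emulates the case-insensitive `:` wildcard match, the grouping by `host.id`, and the 30-second `maxspan`. The printer name, timestamps and `sample.dll` file name are made up, and `registry.data.strings` is treated as a single string rather than the ECS array.

```python
# Added example, not Elastic's code: the rule's EQL sequence in plain Python.
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(seconds=30)
PRINTERS = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\"
HIVES = ("HKLM\\", "\\REGISTRY\\MACHINE\\")
STEP1 = ([h + PRINTERS + "SpoolDirectory" for h in HIVES],
         "C:\\Windows\\System32\\spool\\drivers\\x64\\4")
STEP2 = ([h + PRINTERS + "CopyFiles\\Payload\\Module" for h in HIVES],
         "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*")

def matches(ev, step):
    """EQL ':' is a case-insensitive wildcard match; emulate it with fnmatch."""
    paths, data = step
    return (ev["host.os.type"] == "windows"
            and any(fnmatchcase(ev["registry.path"].lower(), p.lower()) for p in paths)
            and fnmatchcase(ev["registry.data.strings"].lower(), data.lower()))

def detect(events):
    """Return (host.id, t1, t2) for each step-1 event followed on the same host
    by a step-2 event within MAXSPAN, mirroring 'sequence by host.id with maxspan=30s'."""
    pending, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host = ev["host.id"]
        if matches(ev, STEP1):
            pending[host] = ev["@timestamp"]          # open a sequence for this host
        elif matches(ev, STEP2) and host in pending:
            t1 = pending.pop(host)
            if ev["@timestamp"] - t1 <= MAXSPAN:      # only within the 30 s window
                alerts.append((host, t1, ev["@timestamp"]))
    return alerts

def make_event(host, secs, path, data):
    """One constructed registry event; field names follow the rule's ECS fields."""
    return {"host.id": host, "host.os.type": "windows",
            "@timestamp": datetime(2024, 1, 1, 12, 0, 0) + timedelta(seconds=secs),
            "registry.path": path, "registry.data.strings": data}

KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Fax\\"
SAMPLE_EVENTS = [  # constructed; "sample.dll" is a placeholder file name
    make_event("host-a", 0, KEY + "SpoolDirectory", "C:\\Windows\\System32\\spool\\drivers\\x64\\4"),
    make_event("host-a", 5, KEY + "CopyFiles\\Payload\\Module", "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\sample.dll"),
    make_event("host-b", 0, KEY + "SpoolDirectory", "C:\\Windows\\system32\\spool\\PRINTERS"),  # default value, benign
    make_event("host-c", 0, KEY + "SpoolDirectory", "C:\\Windows\\System32\\spool\\drivers\\x64\\4"),
    make_event("host-c", 90, KEY + "CopyFiles\\Payload\\Module", "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\sample.dll"),  # outside maxspan
]
```

Calling `detect(SAMPLE_EVENTS)` returns a single alert for `host-a`, whose two events are five seconds apart; `host-b` never matches step 1 and `host-c` completes step 2 too late.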
